Computer systems are now central to most businesses. Whilst businesses typically are able to support and manage computers and networks located within their own premises, it is significantly more difficult to provide support and management of computers used by a user working at home, away from the office or the like. Whilst in some instances it is possible for the user to bring the computer system to the business premises to have it appropriately configured, most businesses do not consider a home computer their responsibility, nor is it convenient for this to be done every time a configuration change or software change needs to take place.
A further issue concerns disaster recovery. Given the emphasis on a business' computer system, it is somewhat surprising that most disaster recovery scenarios give the computer system limited priority in terms of business continuity. If the business premises were to burn down, be flooded or similar, it is typically the computer system that takes the longest to be brought back online. Even with appropriate backups, restoring a full computer system can take many man days. Some businesses simply assume that users will be able to go on without computer systems, although this logic today is flawed.
The less control an organisation has over computers used in its business, the greater the threat that the business faces. There are often good reasons why users may wish to make use of computers or devices over which an organisation has little or no control. For example, a user having the occasional requirement to work from home may try to use his or her home PC, as the frequency with which the user wishes to work from home does not make the purchase and maintenance of a laptop dedicated for this purpose cost effective.
Similarly, business continuity may mean that access to the business' IT resources is permitted from an untrusted machine in the event of an emergency. Whilst security may be high on the agenda during normal business operations, when a business is in disaster recovery, much of the emphasis on security is sidelined in an attempt to keep the business running. This may mean that machines that are not appropriately under the control of the business are used simply because they are the only ones that are available. Similarly, a user may require access to corporate resources from an untrusted machine in the event of a laptop loss or failure or where they are in an environment such as an internet café where only the shared machines provided can access the internet.
Various different approaches to these problems have been proposed. Some systems are now beginning to offer management of virtualised systems. A virtual environment is installed on an end user machine and then a virtual system image is provided that can be run in the virtual environment. The virtual system is typically defined and controlled by the business and cannot be changed by the user. This enables a business to manage and secure an environment on home desktops and the like without the need to control the whole machine. However, this is an extremely invasive measure that requires software to be installed on the machine to provide support for the virtual environment. Additionally, the virtual environment typically runs while the existing operating system is active. Furthermore, the system is not wholly under the control of the business as the virtual environment software is still exposed to the user and also requires a functional operating system on the machine. Whilst the business is given a measure of security via the virtualisation technology, the software is directly installed on the home user's PC and there are limits to the extent to which that PC and its resources can be locked down and to which tampering and replication of the virtualised environment can be prevented.
In respect of remote workers, whilst there exist systems that attempt to provide a secure environment through which corporate resources can be accessed from a non-trusted machine, these are still weak and often leave a footprint that can be cracked or data otherwise recovered once the user leaves the untrusted machine.
Various systems have been suggested to remove a footprint once the user leaves the untrusted machine. However, these typically involve wiping virtual memory and are flawed because:

- The virtual/physical mechanism may have been hijacked by a rootkit or similar exploit (for example, a hook may be inserted into the page fault handler).
- The virtual memory (VM) module may arbitrarily remove the physical page at any time.
- The software may clear itself if the current page is stolen while running.
- The OS data structures will be destroyed by the cleaning process, and the software actually wiping the virtual memory would be affected and may not run properly.
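To make the limits listed above concrete, the following is an added example (not code from the original document or from any product it describes) of the best that in-OS footprint removal can do from user space on a POSIX system: a secret buffer is mapped anonymously, pinned with mlock() so the VM subsystem is asked not to page it out, overwritten through a volatile pointer so the compiler cannot drop the stores, and verified as zero before being unmapped. The secure_buf type and its functions are hypothetical names chosen for this example. The comments mark where each of the listed weaknesses still applies: mlock() is only a request and can be refused, the code never touches the OS data structures or the page fault handler, and nothing here can detect a hooked handler or a page copied out before the wipe ran.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Holds secret material for the duration of a session.
 * Hypothetical type for this example only. */
typedef struct {
    unsigned char *buf;   /* page-aligned anonymous mapping */
    size_t len;           /* mapping length, rounded up to whole pages */
    int pinned;           /* 1 if mlock() succeeded, else 0 (best effort only) */
} secure_buf;

/* Zero memory through a volatile pointer so the compiler cannot discard the
 * stores as dead (a plain memset() immediately before free() is often elided). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Returns 1 if every byte of p[0..n) is zero, otherwise 0. */
int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Map len bytes (rounded up to a page) and try to pin them in RAM.
 * mlock() asks the VM module not to remove the physical page, but it is only
 * a request: it fails under RLIMIT_MEMLOCK, and a hooked page fault handler or
 * the kernel itself can still copy the page elsewhere. Failure to pin is
 * therefore recorded rather than treated as fatal.
 * Returns 0 on success, -1 on error. */
int secure_buf_alloc(secure_buf *sb, size_t len) {
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0 || len == 0) return -1;
    size_t rounded = ((len + (size_t)pg - 1) / (size_t)pg) * (size_t)pg;
    void *m = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    sb->buf = (unsigned char *)m;
    sb->len = rounded;
    sb->pinned = (mlock(m, rounded) == 0) ? 1 : 0;
    return 0;
}

/* Overwrite the contents, release the pin and unmap.
 * This only clears the process's own pages; it cannot reach OS data
 * structures, swap, or copies made before this call, which is exactly the
 * gap the text above describes.
 * Returns 1 if the buffer verified as all-zero before unmapping, else 0. */
int secure_buf_destroy(secure_buf *sb) {
    if (!sb->buf) return 0;
    secure_zero(sb->buf, sb->len);
    int clean = all_zero(sb->buf, sb->len);
    if (sb->pinned) munlock(sb->buf, sb->len);
    munmap(sb->buf, sb->len);
    sb->buf = NULL;
    sb->len = 0;
    sb->pinned = 0;
    return clean;
}

int main(void) {
    /* Constructed sample secret; any real session key would go here. */
    static const char secret[] = "session-secret (constructed sample)";
    secure_buf sb;
    if (secure_buf_alloc(&sb, sizeof secret) != 0) {
        perror("secure_buf_alloc");
        return 1;
    }
    memcpy(sb.buf, secret, sizeof secret);
    printf("pinned in RAM: %s\n",
           sb.pinned ? "yes" : "no (mlock refused; swap-out remains possible)");
    printf("wiped clean: %d\n", secure_buf_destroy(&sb));
    return 0;
}
```

Running it on a host with a low RLIMIT_MEMLOCK prints "pinned in RAM: no", which is the practical form of the second weakness above: the wipe still succeeds from the process's point of view, yet the page may already have been written to swap, and nothing in user space can tell.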